VMware Identity Manager supports multiple authentication methods. You can configure a single authentication method and you can set up chained, two-factor authentication. You can also use an authentication method that is external for RADIUS and SAML protocols.

The identity provider instance that you use with the VMware Identity Manager service creates an in-network federation authority that communicates with the service using SAML 2.0 assertions.

When you initially deploy the VMWare Identity Manager service, the connector is the initial identity provider for the service. Your existing Active Directory infrastructure is used for user authentication and management.

The following authentication methods are supported. You configure these authentication methods from the administration console.

Authentication Methods

Description

Password (on-premise deployment)

Without any configuration after Active Directory is configured, VMware Identity Manager supports Active Directory password authentication. This method authenticates users directly against Active Directory.

Kerberos for desktops

Kerberos authentication provides domain users with single sign-in access to their apps porta. Users do not need to sign in to their apps portal again after they log in to the network. Two Kerberos authentication methods can be configured, Kerberos authentication for desktop with Integrated Windows Authentication, and built-in Kerberos authentication for iOS 9 mobile device when a trust relationship is set up between Active Directory and AirWatch.

Certificate (on-premise deployment)

Certificate-based authentication can be configured to allow clients to authenticate with certificates on their desktop and mobile devices or to use a smart card adapter for authentication.

Certificate-based authentication is based on what the user has and what the person knows. An X.509 certificate uses the public key infrastructure standard to verify that a public key contained within the certificate belongs to the user.

RSA SecurID (on-premise deployment)

When RSA SecurID authentication is configured, VMware Identity Manager is configured as the authentication agent in the RSA SecurID server. RSA SecurID authentication requires users to use a token-based authentication system. RSA SecurID is an authentication method for users accessing VMware Identity Manager from outside the enterprise network.

RADIUS (on-premise deployment)

RADIUS authentication provides two-factor authentication options. You set up the RADIUS server that is accessible to the VMware Identity Manager service. When users sign in with their user name and passcode, an access request is submitted to the RADIUS server for authentication.

RSA Adaptive Authentication (on-premise deployment)

RSA authentication provides a stronger multi-factor authentication than only user name and password authentication against Active Directory. When RSA Adaptive Authentication is enabled, the risk indicators specified in the risk policy set up in the RSA Policy Management application. The VMware Identity Manager service configuration of adaptive authentication is used to determine the required authentication prompts.

Mobile SSO (for iOS)

Mobile SSO for iOS authentication is used for single sign-on authentication for AirWatch-managed iOS devices. Mobile SSO (for iOS) authentication uses a Key Distribution Center (KDC) that is part of the Identity Manager service. You must initiate the KDC service in the VMware Identity Manager service before you enable this authentication method.

Mobile SSO (for Android)

Mobile SSO for Android authentication is used for single sign-on authentication for AirWatch-managed Android devices. A proxy service is set up between the VMware Identity Manager service and AirWatch to retrieve the certificate from AirWatch for authentication.

Password (AirWatch Connector)

The AirWatch Cloud Connector can be integrated with the VMware Identity Manager service for user password authentication. You configure the VMware Identity Manager service to sync users from the AirWatch directory.

VMware Verify

VMware Verify can be used as the second authentication method when two-factor authentication is required. The first authentication method is user name and password, and the second authentication method is a VMware Verify request approval or code.

VMware Verify uses a third-party cloud service to deliver this feature to user devices. To do so, user information such as name, email, and phone number are stored in the service but not used for any purposes other than to deliver the feature.

Password (Local Directory)

The Password (Local Directory) method is enabled by default for the System-IDP identity provider used with the System Directory. It is applied to the default access policy.

After the authentication methods are configured, you create access policy rules that specify the authentication methods to be used by device type. Users are authenticated based on the authentication methods, the default access policy rules, network ranges, and the identity provider instance you configure. See Managing Authentication Methods to Apply to Users.